Customer Centric Banking - PwC

Transcription banking
Aligning the GDPR and PSD II
Spring 2017

Content
The Challenge 1
The GDPR 2
  Individual ownership of data 2
  Key elements of the GDPR 2
  Demanding timelines 2
  Stiff penalties for failure to comply 2
  The UK is behind 2
The Payment Service Directive II (PSD II) 3
  Open third party access to data 3
  The value of payments is in the data 3
  Context and metadata 3
Digital transformation 4
  Dumb pipes 4
  Platforms and marketplaces 4
  APIs are the pathway to digital transformation 4
Connecting PSD II and GDPR 5
  Consent, purpose and duration 5
  Consent 5
  Purpose 5
  Consent must be informed consent 5
  The right to be forgotten 5
  Audit trail 5
Successful implementation of PSD II and GDPR 6
  1) First of all, stop resisting 6
  2) Take a risk based approach 6
  3) Become stewards of your customer data 6
  4) Get good at data governance 6
  5) Remove silos 7
  6) Integrate regulatory and innovation initiatives 7
  7) Automate onboarding and offboarding of partners 7
  8) Monitor your audit trail 7
Conclusion: get ahead of the game 7

The challenge: GDPR vs PSD II

Managing a large book of regulatory projects alongside a growing book of digital and simplification initiatives is already a considerable challenge for most Financial Services organisations. This challenge is now made even steeper by two regulations, the Payment Services Directive II (PSD II) and the General Data Protection Regulation (GDPR), that appear to be pulling in opposite directions. While the PSD II requires banks to open customer account and transaction data to third parties via open APIs, the GDPR imposes rigorous requirements for them to protect customer data as well as stringent penalties for failure to do so.

Actually, these two regulations are closely related. They are expected to come into effect in European law within six months of each other, i.e. in January and May 2018 respectively. Organisations should be looking to implement these regulations in an integrated manner rather than in silos. In this paper, we discuss the core elements of a successful implementation strategy for the GDPR and PSD II programmes in the industry.

PwC Customer centric banking 1

The GDPR

Individual ownership of data

The GDPR seeks to achieve two fundamental objectives:
1. Strengthen the rights of the individual over their data.
2. Hold businesses responsible for ensuring a higher standard of privacy.

The GDPR focuses on the individual's right to own their data. Anyone using the individual's data must obtain the individual's consent for a specific purpose and duration.

Key elements of the GDPR

The key elements of the regulation are:
- Privacy by design – Solutions must be designed, developed, implemented, operated and maintained with privacy in mind.
- Right to be forgotten – Equally, solutions need to have the functionality to 'remove' an individual's data.
- Data portability – The consumer must be able to retrieve their data in a readable/logical format (so that they may reuse it with another vendor).

Demanding timelines

Solutions that are launched after the GDPR has been implemented in May 2018 must meet the requirements from day one, and existing solutions must be adapted to meet the requirements following a transitional period.

Stiff penalties for failure to comply

To ensure that businesses prioritise GDPR compliance, the regulation introduces potentially hefty fines – up to 4% of global revenue for non-compliance or 20m euros, whichever is higher.

The UK is behind

An update of UK data privacy legislation has been long overdue, as the last comprehensive legislation, the 1995 data privacy acts, predates Google. Several other EU countries have updated their privacy rules more recently than 1995, so organisations in the UK might find it more demanding to implement the GDPR than their peers in certain EU countries. The GDPR gives the individual the power to request their data to be handed back to them. Current UK legislation does not require this.

The Payment Service Directive II (PSD II)

Similar to the GDPR, PSD II will strengthen individual ownership of their own data by allowing the individual to choose the third party for payment initiation and account data services. The regulation has been designed to foster competition and innovation in payments services.

Open third party access to data

With a PSD II licence, the external providers (including other banks) can:
1. Initiate payment transactions on accounts held by the bank's customers using the bank's APIs. The regulation refers to these third parties as Payment Initiation Service Providers (PISP).
2. Use the bank's APIs to analyse a customer's account balance and transactions in order to offer value added services such as providing financial advice or product recommendations. The regulation refers to these third parties as Account Information Service Providers (AISP).

The key purpose of the PSD II is to allow banks to facilitate third party access to client accounts, and it requires non-discrimination. In other words, any third party with regulatory approval to be a PISP or AISP can use a bank's relevant APIs to provide services to the customer. Banks cannot refuse to give access to licensed third parties, although it remains to be seen whether the regulators may dilute this provision in the future.

The value of payments is in the data

PSD II may be a concern for banks, but it also represents a significant opportunity for banks to establish themselves both as a PISP and an AISP and compete with other banks and players hoping to seize the market. This may be a good strategy considering no one has more experience handling payments and financing than banks. What makes 'payments' important is not the capital transaction (the transfer of money). Banks' margins on payments transactions will get thinner and thinner as competition increases. The real opportunity to add value is in harvesting and analysing real consumer data to offer innovative products and services. For example, Square, a US based payments company, started out as a mobile PoS terminal provider but rapidly branched out into working capital loans using sophisticated analytics and prediction.

Context and metadata

Digital marketers and surveillance agencies such as the United States NSA have known for years that while there is information in our emails, phone calls, chats and tweets, there is often even more valuable information in the context in which we communicate. Similarly, when it comes to payments, context information is even more valuable than the information embedded in the transaction itself.

Increasingly, the value of payments information is the ability to understand the context in which the consumer makes the purchase decision and to influence the moment. This context information includes:
- What did they buy;
- Where did they buy it;
- When did they buy it;
- What the weather was like at that moment;
- What mood was the consumer in;
- What did they post on social media before or after the purchase;
- Where had they been right before the purchase;
- Who were they with; and
- What did the others buy at the same time.

The moment where the consumer is about to spend their hard-earned money is important for a few reasons. At the instant that a consumer decides to pay, they are making a commitment, generally with much more focus and attention than when they send an email or post a tweet. The time when a payment is made is also generally a perfect time to:
1. Direct marketing (preferably via mobile platforms);
2. Offer financing (preferably via mobile platforms);
3. Gather data about the consumer's buying behaviour; and
4. Offer valuable advice and transition from a deposit taker to trusted advisor.

We could infer that the next generation of privacy rules will focus on privacy of context and metadata. The ability to capture, analyse and process vast payments and context information and meta-information will provide all parties in a digital ecosystem one critical source of competitive advantage, as long as they can demonstrate awareness of and respect for individual data privacy.

Digital transformation

The scenario of banks turning into dumb pipes is often overstated, and there is a historical reason for that. Indeed, digital transformation has always been a steep challenge for most incumbent organisations in any industry. In fact, only so many examples can be found where an incumbent organisation has successfully transformed itself to compete successfully against digital-first disruptors. Even in the capital intensive airline industry, which has very high barriers to entry, digital transformation initiatives have taken over a decade to yield results.

Despite the dire predictions, so far incumbent Financial Services organisations have stood their ground well against the disruptors. Outside of China and India, waves upon waves of Fintechs such as P2P lenders, new payments providers like Transferwise and Ripple and now mobile only banks have so far only made a minor dent in the walls of the formidable fortresses that the big banks are. However, with the nimble, innovative and digital-first Fintechs finding progressively greater capital investment and regulatory support in most markets, the threat has continued to grow, and digital transformation is no longer an option for Financial Services organisations.

Financial services firms see the main potential of FinTech investment over the next three years to be in:
1. Process automation
2. Data analytics
3. Digital transformation
Source: Q4 2016 CBI/PwC survey

Dumb pipes

It may appear that in a post PSD II environment, banks (ASPSPs) would be at risk of essentially functioning as account and deposit holders for customers, and mainly providing access to third parties (PISPs and AISPs) that own the customer interaction on the front end. In this scenario, banks will essentially provide infrastructure similar to utilities, whereas TPPs capture the high margins and customer mindshare from owning the user experience of value added services. For example, the banks' telephone, mobile and internet banking services will face stiff competition from innovative startups, telecoms organisations, retailers, Silicon Valley companies and others. Our latest CBI/PwC survey found that 71% of banks see competition coming from new entrants (the highest since the survey began in December 2006).

This scenario is bearable only for a small number of sprawling banks that derive their revenue primarily from interest rates on lending. However, for most banks under growing pressure from shareholders to create new revenue and increase their return on equity, becoming a 'dumb pipe' is not an acceptable outcome. Indeed, banks today are quite concerned about the risk of being reduced to pure infrastructure providers or 'dumb pipes', in the same way that telecoms network providers like AT&T and Sprint were turned into pipes and plumbing for communications by smartphones from Apple.

Platforms and marketplaces

Due to the complexity of transforming critical legal, technology and data infrastructure, recent years have seen the emergence of the bank as a marketplace, or the bank as platform, business model. These models generally seek to take advantage of the bank's data, access to customers and strengths in regulatory compliance and resilience while creating a digital system where nimble and agile Fintechs can quickly deliver innovative services to the bank's customers. Inspired by the stunning success of Apple and Amazon in building content and retail ecosystems, these business models look to transform incumbent financial services organisations from monoliths into thriving financial ecosystems.

Similarly, recent years have seen extensive discussion about the Uberisation of just about everything. Inspired by the rapid market dominance of Uber, Airbnb and Spotify, which collect a per transaction fee merely by connecting consumers and service providers using asset-light digital platforms, banks are starting to think beyond merely controlling access to customer data and payments rails and towards opening these assets up to third parties to increase ROE by reducing the asset base and improving their asset turnover (sales/assets).

APIs, the pathway to digital transformation

An API based architecture, essentially mandated by PSD II, provides the simplest pathway to transforming a sprawling legacy bank first into a platform (like Facebook), and then into a marketplace (like Amazon). While varying widely in their quality and scope of implementation, almost all major banks currently have open API initiatives that will allow third party developers to use APIs to build innovative consumer facing applications. Many banks state that they have had internal API platforms for years, that the technology and controls surrounding these APIs are mature and well understood, and that opening up APIs to third parties in a careful and considered manner is the logical next step.

Connecting PSD II and GDPR

Consent, purpose and duration

These three concepts form the core of a GDPR compliant PSD II implementation. While digital marketers will naturally be excited about the opportunity to cross-sell services to consumers by capturing data and context metadata, the GDPR essentially forbids doing so without clear consumer consent limited by both a clear purpose and duration. Above all, a consumer can withdraw consent they provided earlier, and thereby request the removal of all personal data in the possession of a bank or a third party. This is especially critical so that the accountability for any misuse can be assigned correctly, for example, when a third party may be at fault. Let's go through these concepts in turn.

Consent

The key to being able to collect and leverage consumer data is making sure that the organisation and its third parties have specific consent from the consumer for their data to be used in a transparent manner.

Purpose

The consent should capture the broad parameters of how the data may be used. If such data is to be shared with third parties, consumer agreements must capture with whom the data may be shared and how it may be used by third parties.

Consent must be informed consent

Any legal agreements or T&Cs must be adequately clear and specific so that the consent of the user can be characterised as informed consent. Further, if the user journeys involving the capture of consent information obscure what the customer needs to know, e.g. through unusually long agreements or too many clicks, a privacy lawyer can in theory even argue that the consent was not really informed consent.

The right to be forgotten

The GDPR gives every individual the right to revoke their consent. Businesses must be able to stop using the consumer's data for which the consent has been revoked and in some cases remove the data altogether from the organisation.

Open Banking increases probability of incidents, GDPR increases severity of impact

PSD II allows third party actors to provide the public with access to financial data and services that traditionally the bank directly controlled. Given the objective of creating fair and open access for third parties, the regulation does not provide a framework to have contractual liabilities in place, so the bank has little control over how these third parties will operate or behave. Some of the potential exposure scenarios are:
1. A third party uses the bank's data to engage in misselling (potential Conduct Risk implications)
2. A third party violates the terms of a customer's consent for the use of data
3. A third party enables hackers to bypass the bank's cybersecurity controls
4. A third party aggregates and sells customer data to other third parties, potentially even in sanctioned jurisdictions
5. A third party combines a customer's social and transaction data to mine their identity information and engages in identity fraud, or worse
6. A third party exposes the bank's API to denial of service attacks, leading to severe difficulty for customers who need access to payment services

In all of these scenarios, the main risk exposure to the bank comes from their role as the custodian of the customer's data and the owner of the customer relationship. Even if it is a third party that fails to manage their GDPR obligations, the reputational risk may lie predominantly with the incumbent banks because they have the reputation to lose in the first place, as opposed to, let's say, a startup using the API. Even if the banks can position themselves to avoid actual direct financial liability under GDPR
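As an added illustration (not PwC's code or any bank's implementation), the following Python sketch records consent bounded by purpose and duration, denies a third party's API data request once consent is revoked or expired, writes every decision to an audit trail, and flags a third party that repeatedly requests data outside the consented purpose (exposure scenario 2 above). All identifiers, dates and the AISP "aisp-demo" are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
@dataclass
class Consent:  # one customer's consent for one third party, bounded by purpose and duration
    customer_id: str
    tpp_id: str                  # licensed AISP/PISP the customer chose
    purposes: frozenset          # purposes the customer agreed to, e.g. {"account_information"}
    granted_at: datetime
    duration: timedelta
    revoked_at: Optional[datetime] = None
class ConsentLedger:  # gates API data access on recorded consent and keeps an append-only audit trail
    def __init__(self):
        self._consents = {}
        self.audit = []  # (time, customer, tpp, purpose, outcome)
    def grant(self, c: Consent) -> None:
        self._consents[(c.customer_id, c.tpp_id)] = c
    def revoke(self, customer_id: str, tpp_id: str, when: datetime) -> None:
        self._consents[(customer_id, tpp_id)].revoked_at = when  # use must stop from this moment
    def authorise(self, customer_id: str, tpp_id: str, purpose: str, when: datetime) -> bool:
        c = self._consents.get((customer_id, tpp_id))
        if c is None:
            outcome = "denied:no_consent"
        elif c.revoked_at is not None and when >= c.revoked_at:
            outcome = "denied:revoked"
        elif when >= c.granted_at + c.duration:
            outcome = "denied:expired"
        elif purpose not in c.purposes:
            outcome = "denied:purpose"
        else:
            outcome = "allowed"
        self.audit.append((when.isoformat(), customer_id, tpp_id, purpose, outcome))
        return outcome == "allowed"
    def tpps_exceeding_purpose(self, threshold: int = 2) -> list:  # third parties repeatedly asking outside consented purpose
        counts = {}
        for _, _, tpp, _, outcome in self.audit:
            if outcome == "denied:purpose":
                counts[tpp] = counts.get(tpp, 0) + 1
        return sorted(t for t, n in counts.items() if n >= threshold)

def run_example() -> ConsentLedger:  # constructed sample: a 90-day account-information consent to one AISP
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.grant(Consent("cust-1", "aisp-demo", frozenset({"account_information"}), t0, timedelta(days=90)))
    ledger.authorise("cust-1", "aisp-demo", "account_information", t0 + timedelta(days=1))  # allowed
    for day in (2, 3):  # the same AISP twice asks for a purpose the customer never consented to
        ledger.authorise("cust-1", "aisp-demo", "marketing", t0 + timedelta(days=day))
    ledger.revoke("cust-1", "aisp-demo", t0 + timedelta(days=10))
    ledger.authorise("cust-1", "aisp-demo", "account_information", t0 + timedelta(days=11))  # denied:revoked
    return ledger
```

The audit list is what the bank would retain to show which decisions were taken, for which purpose and under which consent, when a third party is later found to be at fault.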

